fedidcg / FedCM

A privacy preserving identity exchange Web API
https://fedidcg.github.io/FedCM

Maybe the token format should be specified? #561

Closed anderspitman closed 2 months ago

anderspitman commented 2 months ago

I'm interested in prototyping FedCM in LastLogin, a free, privacy-focused login provider. I'm new to FedCM so sorry if I'm missing anything obvious. The draft reads:

> The content of the token is opaque to the user agent and can contain anything that the IDP would like to pass to the RP to facilitate the login. For this reason the RP is expected to be the party responsible for validating the token passed along from the IDP using the appropriate token validation algorithms defined. One example of how this might be done is defined in OIDC Connect Core § IDTokenValidation.

So won't RPs have to know specifically what token format LastLogin is using? This seems like it wouldn't work very well for smaller IdPs and self-hosted OIDC servers.

samuelgoto commented 2 months ago

> I'm interested in prototyping FedCM in LastLogin

Oh wow, LastLogin looks pretty cool! I played a bit with it and created an account on https://forum.indiebits.io/ with my github account! Pretty cool!

It reminds me a bit of https://hello.coop/

> So won't RPs have to know specifically what token format LastLogin is using?

I believe so, but I think that's by design.

But, isn't it already the case that LastLogin's RPs already have to know what token format LastLogin is currently using?

> This seems like it wouldn't work very well for smaller IdPs and self-hosted OIDC servers.

I think this problem comes up when we enable IdP Registration, but it doesn't seem like it is a problem until the RP needs to enumerate IdPs.

That is, when RPs enumerate / anticipate the IdPs, the RP is forced to know what token format each of the IdPs that they support produce, right?

anderspitman commented 2 months ago

> Oh wow, LastLogin looks pretty cool! I played a bit with it and created an account on https://forum.indiebits.io/ with my github account! Pretty cool!

> It reminds me a bit of https://hello.coop/

Thanks for checking it out! hello.coop looks great too. Do you know if there's any documentation on how to integrate with it? Very curious how well it would work for logging in from self-hosted apps.

EDIT: found it: https://www.hello.dev

> I think this problem comes up when we enable https://github.com/fedidcg/FedCM/issues/240, but it doesn't seem like it is a problem until the RP needs to enumerate IdPs.

Ah ok so the idea is that these parameters get communicated during registration? That seems reasonable, though I think it would be simpler if you could just assume it would be an OIDC ID token.

Why can't you just have the token be opaque to the RP as well and have it hit an endpoint on the IdP? Performance?

samuelgoto commented 2 months ago

> Why can't you just have the token be opaque to the RP as well and have it hit an endpoint on the IdP? Performance?

I'm not sure I follow: the token is opaque (as far as the browser is concerned), and it could be an access_token that the RP could use to hit an endpoint on the IdP.

anderspitman commented 2 months ago

Maybe I'm reading it wrong. I thought the token is opaque to the browser, but needs to be understood by the RP. You're saying it's also opaque to the RP? In that case the RP shouldn't need to understand the format being used, right?

samuelgoto commented 2 months ago

> Maybe I'm reading it wrong. I thought the token is opaque to the browser, but needs to be understood by the RP. You're saying it's also opaque to the RP?

Ah, no, apologies for the confusion: the token is NOT opaque to the RP (the RP needs to know how to decode it).

anderspitman commented 2 months ago

Sweet, thanks for the clarification! I believe that answers my question.